Who is Participating?

Yes you can. There highly likely is an article available for this on Symantec.com, but here is what I did.

-Create a share with read access for users.
-Drop your endpoint installer's (1 for 64 bit, 1 for 32 bit) into the share post exporting it from the management console.
I suggest either renaming the exported Setup.exe to setup32.exe & setup64.exe respectively, unless you prefer to create a subfolder for 32 & 64 bit installer, which is what I will do in this example. (Make sure you update installers from time to time, as the console is upgraded in future releases)
-Create a new text file, and add the below info to it

-Save the textfile as "SymantecPush.cmd" (Note, you need to rename the \\servername\sharename\ to your servers name, and the share where you stored the installers)
-Go to group policy manager, and create a GPO named for example "Symantec Endpoint Push"
In the GPO go to

Computer Configuration>>Policies>>Windows Settings>>Scripts>>Startup

-Under Startup, point to the SymantecPush.cmd file which is located on your installer share or other preferred location where you saved it (Use UNC paths) and finish configuring the GPO.
-Now apply the GPO to the computers OU for the client, and Bob's your uncle.

Happy to help.
Might be an idea to drop it to a test OU first with a single PC in it, make sure AD replicated settings, then reboot that PC and grab a coffee.

By the time you are back, the AV should be there unless it bumped into issues or it is an antique PC, proving it is ok to deploy company wide. (I am pretty sure it is fine as is, but never take a strangers word for it, take precautions)
If you need to remove alternative AV first, I might have a script for that too depending on vendor.
Also do note, this did not cover pushing it to a Mac. This is covered here